-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathASPNetPagesValidateRequest.qhelp
More file actions
51 lines (39 loc) · 1.2 KB
/
ASPNetPagesValidateRequest.qhelp
File metadata and controls
51 lines (39 loc) · 1.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
Request validation is a feature in ASP.NET that protects web applications against
potentially malicious content in requests, specifically against
cross-site scripting attacks (XSS).
</p>
</overview>
<recommendation>
<p>
Enable the directive <code>validateRequest</code> in your <code>web.config</code> file:
<code>
<pages validateRequest="true" />
</code>
</p>
</recommendation>
<example>
<p>
The following example shows the <code>validateRequest</code> flag set to <code>false</code>
in a <code>Web.config</code> file for ASP.NET. This will disable validation, and leave
the web application vulnerable against common XSS attacks:
</p>
<sample src="ASPNetPagesValidateRequestBad.config" />
<p>
If <code>validateRequest</code> is set to <code>true</code>, validation is enabled:
</p>
<sample src="ASPNetPagesValidateRequestGood.config" />
</example>
<references>
<li>
MSDN:
<a
href="https://docs.microsoft.com/en-us/previous-versions/aspnet/hh882339(v=vs.110)?redirectedfrom=MSDN">
Request Validation in ASP.NET
</a>.
</li>
</references>
</qhelp>